Threat of the Week: XP Menace Multiplies

The menace represented by the nation’s many millions of computers running Windows XP – which Microsoft will stop patching April 8 – just may be multiplying.

The issue is not the XP fleet inside credit unions. Most financial institutions, said the experts, know Microsoft is ceasing support, they know their regulators will be monitoring their transition off XP, and they have plans.

Some plans are better than others, some credit unions may not have any plan – but, as a rule, financial institutions are tackling this problem.

But there is a huge XP problem they aren’t tackling. The venerable operating system is running on computers used by credit union members who will be accessing online banking, possibly other services, with machines that may well be infected with malware exploiting newly discovered vulnerabilities.

XP, understand, is a relic, but a widely used relic. It went on sale to the public in October 2001. Right now, it powers nearly one-third of computers in use globally. Upgrade paths for those many millions of computers are unclear. Most of them also are relics; many could not run Windows 7, let alone Windows 8, the latest version (released in 2012). Bottom line: Come April 9 there still will be millions of computers running XP.

“What new risks will financial institutions face on April 9th,” asked Tom Hinkel, director of compliance at Safe Systems, an Alpharetta, Ga., IT vendor to the financial services industry. “XP will enter a life phase where it forever is in a zero day exploit,” meaning that daily new holes may be poked in the system by criminals, knowing that those holes will remain unplugged as long as Microsoft sticks to its resolve to turn its back on XP.

Some experts note, ominously, that very few XP exploits have been released lately. The implication is that cyber criminals have been stockpiling exploits – counting down to Microsoft’s end of support – and will release them after Microsoft’s final patch. So there may be an avalanche of exploits coming on the scene in mid-April.

Two big questions have to be asked: How big are the risks that members running XP pose to credit unions? And is it in credit unions’ best interest to work with vulnerable members to educate them about XP risks?

Advised Jason Blackett, a product manager at Utah-based software developer Novell, “Financial institutions have to make sure they are hardened against these attacks on the server side.”

“There really will be no easy way for financial institutions to mitigate risks posed by member computers,” Blackett added.

The first-line threat is simply that the member’s computer becomes riddled with malware, such as the Zeus keylogger and hitherto unidentified malware.

It gets scarier from there. What if hackers concoct a way to use an infected XP machine to infect a credit union’s servers? Impossible? Maybe. But maybe not, because XP will suddenly become a playground for hackers seeking to launch new kinds of attacks, and there is no saying what they will or won’t do.


As for what credit unions can do, Hinkel urged that “the financial institution has to reach out, they have to make the effort to educate the customer. It would be trivial to put a pop up on online banking: ‘You May Be Using an Insecure Operating System.’”

That is: As members log into online banking with XP, tell them they may have risks that need attending to.

Still more needs to be done with the highest-risk members. Hinkel stressed that the savvy credit union will quickly identify its highest-risk members – in most cases, these will be small businesses using XP for online banking – then “do an outreach.”
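The two steps Hinkel describes above – warning XP users at online-banking login, and sifting the login records to find the small-business members still on XP for outreach – both come down to recognizing the operating system a browser announces in its User-Agent header. The following is an added example, not code from CU Times, Safe Systems or Novell; it relies on the fact that Windows XP identifies itself as "Windows NT 5.1" (and XP x64 as "Windows NT 5.2", a token it shares with Server 2003). The log format, member ids and account types are constructed for the example. Because the header is supplied by the member's own browser and can be altered, the result is an advisory signal for a banner and an outreach list, not proof of what the machine runs.

```python
import re
from collections import defaultdict
from typing import Optional

# Windows XP reports itself as "Windows NT 5.1" in browser User-Agent strings;
# "Windows NT 5.2" is XP x64 Edition (the same token is used by Server 2003).
_XP_TOKENS = re.compile(r"Windows NT 5\.[12]\b")


def is_windows_xp(user_agent: str) -> bool:
    """Return True when the User-Agent header claims to be Windows XP.

    The header is client-controlled, so False does not prove the machine
    is not XP; treat the result as an advisory signal only.
    """
    return bool(_XP_TOKENS.search(user_agent or ""))


def login_banner(user_agent: str) -> Optional[str]:
    """Warning text to show on the online-banking login page, or None."""
    if is_windows_xp(user_agent):
        return "You May Be Using an Insecure Operating System"
    return None


# Constructed sample login log (hypothetical format):
# "<member_id> <account_type> <user_agent>", one login per line.
SAMPLE_LOG = """\
m1001 consumer Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
m1001 consumer Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/33.0
m2042 business Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
m2042 business Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
m3077 business Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) Safari/537.75.14
m4110 business Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 Chrome/32.0
"""


def flag_high_risk_members(log_text: str) -> dict:
    """Count total and XP logins per member; keep only members seen on XP."""
    stats = defaultdict(lambda: {"account_type": None, "logins": 0, "xp_logins": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        member_id, account_type, ua = line.split(" ", 2)
        entry = stats[member_id]
        entry["account_type"] = account_type
        entry["logins"] += 1
        if is_windows_xp(ua):
            entry["xp_logins"] += 1
    return {m: e for m, e in stats.items() if e["xp_logins"] > 0}


def outreach_list(log_text: str) -> list:
    """Member ids in outreach order: business XP users first, then by XP logins."""
    flagged = flag_high_risk_members(log_text)
    return sorted(
        flagged,
        key=lambda m: (flagged[m]["account_type"] != "business",
                       -flagged[m]["xp_logins"], m),
    )


if __name__ == "__main__":
    flagged = flag_high_risk_members(SAMPLE_LOG)
    for member in outreach_list(SAMPLE_LOG):
        e = flagged[member]
        print(f"{member} ({e['account_type']}): {e['xp_logins']}/{e['logins']} logins from XP")
```

Running the block on the constructed log yields an outreach list of three members, with the two business accounts ahead of the consumer account, which matches Hinkel's point that the high-risk list is usually short enough to work through by hand. A real deployment would key on the institution's own session records rather than raw header strings, and the banner text is simply the one quoted above.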

That could pay big dividends because many may be unaware that continued use of XP puts them at risk. Few consumers are believed to be aware of XP’s scheduled end of support. More businesses know, but many do not. A recent survey by Evolve IP found that 19% of mid-market companies were unaware of Microsoft’s end of support for XP. Thirty percent of C-suite executives in those mid-market companies were unaware of the end of life.

Most credit unions, added Hinkel, “could count the number of high-risk members on the fingers of one hand. It’s worth the effort to reach out, to educate them.”

Presently, no security expert contacted by CU Times suggested that credit unions simply cut off access to members using XP. “They risk the wrath of the customers if they make their systems unfriendly to XP,” Blackett said.

Blackett, however, urged credit unions to monitor the XP threat landscape, staying informed about new threats and keeping tabs on new releases of any financially focused malware.

That kind of intelligence will help credit unions keep their high-risk members abreast of the changing dangers.

And that just may be enough to help both the credit union and its members dodge the risks continued use of the 13-year-old operating system will bring.